
Python: Fixing Windows Event Log Files (.Evt) That Were Not Obtained via Export

Posted on 2013-01-11 09:58  moose

Problem description (original request):

An event log file (*.Evt) on machine A opens fine on machine A itself, but when I copy the log file from machine A to machine B and open it there, Windows reports that the file is corrupted.


Solution:

1. First, locate 0x11111111222222223333333344444444 in the file and copy down the 16 bytes that follow it; these 16 bytes sit immediately before 0x28000000.

2. Go back to the start of the file and overwrite bytes 17 through 32 with those 16 bytes.

3. Finally, change the value of byte 37 to 0x08. The file can then be loaded by Event Viewer.


Python script:

import sys
import binascii
import time

# Hex-text form of the 16-byte marker that opens the EOF record (step 1)
MARKER = "11111111222222223333333344444444"


def convertfile(infile, outfile):
    fread = open(infile, "rb")
    findedstr = ""

    while 1:
        # work on 8 KB chunks converted to hex text (2 chars per byte)
        strpart = binascii.hexlify(fread.read(8192)).decode("ascii")

        # stop at the end of the file or when fewer than 16 bytes remain
        if strpart == "" or len(strpart) < 32:
            break

        strposition = strpart.find(MARKER)
        if strposition != -1:
            # the 16 bytes after the marker may run past the end of this chunk
            remainstrlen = len(strpart) - strposition - 32
            if remainstrlen < 32:
                findedstr = strpart[strposition + 32:] + binascii.hexlify(
                    fread.read((32 - remainstrlen) // 2)).decode("ascii")
            else:
                findedstr = strpart[strposition + 32:strposition + 64]
            break

        # the marker may straddle two chunks: join the last 32 bytes of this
        # chunk with the next 64 bytes of the file and search again
        prepartendstr = strpart[-64:]
        nextbytes = fread.read(64)
        joinstr = prepartendstr + binascii.hexlify(nextbytes).decode("ascii")

        strposition = joinstr.find(MARKER)
        if strposition != -1:
            remainstrlen = len(joinstr) - strposition - 32
            if remainstrlen < 32:
                findedstr = joinstr[strposition + 32:] + binascii.hexlify(
                    fread.read((32 - remainstrlen) // 2)).decode("ascii")
            else:
                findedstr = joinstr[strposition + 32:strposition + 64]
            break

        if len(nextbytes) < 64:
            # reached the end of the file without finding the marker
            break

        # rewind the 64 look-ahead bytes so the next chunk starts in place
        fread.seek(-64, 1)

    fread.close()
    print("String find: %s" % findedstr)

    if len(findedstr) != 32:
        # without the 16 bytes the header cannot be patched; do not write a broken copy
        print("EOF record marker not found, nothing written.")
        return

    # reread and write to the new file, patching only the first chunk (the header)
    reread = open(infile, "rb")
    fwrite = open(outfile, "wb")
    partcount = 1

    while 1:
        instr = reread.read(8192)
        if instr == b"":
            break

        if partcount != 1:
            fwrite.write(instr)
        else:
            hexstr = binascii.hexlify(instr).decode("ascii")
            # step 2: bytes 17-32 of the header take the 16 bytes found after the marker
            hexstr = hexstr[:32] + findedstr + hexstr[64:]
            # step 3: byte 37 becomes 0x08
            hexstr = hexstr[:72] + "08" + hexstr[74:]
            fwrite.write(binascii.unhexlify(hexstr))

        partcount += 1

    fwrite.close()
    reread.close()


if __name__ == "__main__":
    if len(sys.argv) == 1:
        infilepath = input("Please input the path of EVT file -> ")
        outfilepath = infilepath[:infilepath.rfind(".")] + ".new.Evt"
    elif len(sys.argv) == 2:
        infilepath = sys.argv[1]
        outfilepath = infilepath[:infilepath.rfind(".")] + ".new.Evt"
    elif len(sys.argv) == 3:
        infilepath = sys.argv[1]
        outfilepath = sys.argv[2]
    else:
        print("Error args .")
        input("")
        sys.exit()

    starttime = time.time()
    print("Running...")
    convertfile(infilepath, outfilepath)
    print("Done .")
    endtime = time.time()
    print("Time used: ", (endtime - starttime), " s")
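The three steps and the script above patch the header by byte position. As an added example (not the post's own code), the block below does the same repair on the documented ELF_LOGFILE_HEADER and ELF_EOF_RECORD layouts with struct, which makes visible why the fix works: the 16 bytes after the marker are the EOF record's BeginRecord, EndRecord, CurrentRecordNumber and OldestRecordNumber, and bytes 17-32 of the header are the matching StartOffset, EndOffset, CurrentRecordNumber and OldestRecordNumber fields, while byte 37 is the low byte of Flags. It also adds a consistency check to run on a repaired file before handing it to Event Viewer. Field names come from Microsoft's structure definitions; the sample file it builds is constructed here and is not a real log.

```python
import struct

# Field layouts follow Microsoft's documented ELF_LOGFILE_HEADER and ELF_EOF_RECORD
# structures: little-endian 32-bit fields, header 0x30 bytes, EOF record 0x28 bytes.
HEADER_FMT = "<12I"
HEADER_FIELDS = ("HeaderSize", "Signature", "MajorVersion", "MinorVersion",
                 "StartOffset", "EndOffset", "CurrentRecordNumber",
                 "OldestRecordNumber", "MaxSize", "Flags", "Retention",
                 "EndHeaderSize")
EOF_FMT = "<10I"
EOF_MARKER = bytes.fromhex("11111111222222223333333344444444")
SIGNATURE = 0x654C664C             # the bytes "LfLe" read as a little-endian DWORD
ELF_LOGFILE_HEADER_DIRTY = 0x0001  # log was written to but not closed cleanly
ELF_LOGFILE_ARCHIVE_SET = 0x0008   # the value the post writes into byte 37


def parse_header(data):
    """Unpack the 48-byte file header into a name -> value dict."""
    return dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))


def find_eof_record(data):
    """Locate the EOF record by its marker and return (offset, trailer fields).

    The marker is preceded by the record's leading size field (0x28), so the
    record starts 4 bytes before it; the four DWORDs after the marker are the
    16 bytes step 1 of the post copies down, and the DWORD after those is the
    trailing 0x28 (the 0x28000000 the post mentions).
    """
    pos = data.find(EOF_MARKER)
    if pos == -1:
        raise ValueError("EOF record marker not found; file is truncated or not an .Evt")
    start = pos - 4
    f = struct.unpack_from(EOF_FMT, data, start)
    return start, {"BeginRecord": f[5], "EndRecord": f[6],
                   "CurrentRecordNumber": f[7], "OldestRecordNumber": f[8]}


def repair_header(data):
    """Steps 2 and 3 of the post, done with struct instead of hex strings."""
    _, eof = find_eof_record(data)
    buf = bytearray(data)
    # step 2: header offsets 16..31 (bytes 17-32 counted from 1) take the four
    # DWORDs after the marker: StartOffset, EndOffset and both record numbers
    struct.pack_into("<4I", buf, 16, eof["BeginRecord"], eof["EndRecord"],
                     eof["CurrentRecordNumber"], eof["OldestRecordNumber"])
    # step 3: offset 36 (byte 37 counted from 1) is the low byte of Flags; set it to 0x08
    buf[36] = ELF_LOGFILE_ARCHIVE_SET
    return bytes(buf)


def header_is_consistent(data):
    """True when the header parses and its offsets/record numbers match the EOF record."""
    hdr = parse_header(data)
    if hdr["HeaderSize"] != 0x30 or hdr["Signature"] != SIGNATURE:
        return False
    _, eof = find_eof_record(data)
    return (hdr["StartOffset"] == eof["BeginRecord"]
            and hdr["EndOffset"] == eof["EndRecord"]
            and hdr["CurrentRecordNumber"] == eof["CurrentRecordNumber"]
            and hdr["OldestRecordNumber"] == eof["OldestRecordNumber"])


def build_sample_evt(stale=True):
    """Constructed sample (not a real log): header, one 64-byte event record, EOF record.

    With stale=True the header is the kind the post describes: zeroed offsets
    and the DIRTY flag of a log that was copied out while still in use.
    """
    rec_len = 0x40
    record = (struct.pack("<I", rec_len) + b"LfLe" + struct.pack("<I", 1)
              + b"\0" * (rec_len - 16) + struct.pack("<I", rec_len))
    begin, end = 0x30, 0x30 + rec_len   # first record offset, EOF record offset
    eof = struct.pack(EOF_FMT, 0x28, 0x11111111, 0x22222222, 0x33333333,
                      0x44444444, begin, end, 2, 1, 0x28)
    if stale:
        hdr = (0x30, SIGNATURE, 1, 1, 0, 0, 0, 0, 0x80000,
               ELF_LOGFILE_HEADER_DIRTY, 0, 0x30)
    else:
        hdr = (0x30, SIGNATURE, 1, 1, begin, end, 2, 1, 0x80000,
               ELF_LOGFILE_ARCHIVE_SET, 0, 0x30)
    return struct.pack(HEADER_FMT, *hdr) + record + eof


if __name__ == "__main__":
    broken = build_sample_evt(stale=True)
    print("before:", header_is_consistent(broken), parse_header(broken))
    fixed = repair_header(broken)
    print("after: ", header_is_consistent(fixed), parse_header(fixed))
```

Two differences from the script are deliberate: `find_eof_record` raises when the marker is absent instead of writing a file with a shifted header, and `header_is_consistent` gives a quick yes/no on any .Evt (the original, the repaired copy, or a file someone hands you) without opening it in Event Viewer.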


Error screenshot: